03-21-2018 07:35 AM - edited 03-05-2019 10:08 AM
Hello,
router MAIN
router eigrp 900
network 1.1.1.0 0.0.0.255
no auto-summary
router DR
router eigrp 900
network 2.2.2.0 0.0.0.255
no auto-summary
router BRANCH-1
router eigrp 900
network 1.1.1.68 0.0.0.3
network 2.2.2.68 0.0.0.3
network 4.4.4.4 0.0.0.3
no auto-summary
Well, there are MAIN and DR routers and several branches; each branch is advertising some /30 subnet like 4.4.4.4/30.
The problem is that branch-1 knows 4.4.4.32/30, which is advertised for example by branch-9, and branch-9 knows branch-1's 4.4.4.4/30.
Also, each branch knows 1.1.1.x/30 and 2.2.2.x/30.
Which way is best to prevent this?
Many thanks :)
03-21-2018 08:15 AM
Hello george.tsanava,
One of the options is route filtering at the HUB/Main router, which is the way to avoid these transit subnets reaching the branches. Secondly, you can use summary route advertisement.
03-21-2018 09:15 AM
The title of the original post mentioned VPN but the description of the environment told us nothing about VPN. I don't know if there is anything about the VPN that would impact this discussion (such as is it DMVPN which facilitates full mesh connectivity). But knowing nothing about that aspect of the environment I would suggest that in a hub and spoke environment running EIGRP it is frequently set up so that each branch advertises its subnets to the hub and the hub advertises just a default route to the hub. Pending anything we might learn about the VPN environment I would suggest this hub and spoke approach.
HTH
Rick
03-22-2018 12:18 AM
Rick
Yes, it is hub and spoke; from both hubs (MAIN & DR) I have VTI tunnels to each branch.
The goal is to prevent branches from knowing each other's subnets.
BRANCH-1
tunnel1
description %to MAIN%
ip address 1.1.1.69 255.255.255.252
tunnel2
description %to DR%
ip address 2.2.2.69 255.255.255.252
loopback3
description %LAN%
ip address 4.4.4.5 255.255.255.252
router eigrp 900
network 1.1.1.68 0.0.0.3
network 2.2.2.68 0.0.0.3
network 4.4.4.4 0.0.0.3
no auto-summary
BRANCH-n
tunnel1
description %to MAIN%
ip address 1.1.1.73 255.255.255.252
tunnel2
description %to DR%
ip address 2.2.2.73 255.255.255.252
loopback3
description %LAN%
ip address 4.4.4.9 255.255.255.252
router eigrp 900
network 1.1.1.72 0.0.0.3
network 2.2.2.72 0.0.0.3
network 4.4.4.8 0.0.0.3
no auto-summary
router MAIN
router eigrp 900
network 1.1.1.0 0.0.0.255
no auto-summary
router DR
router eigrp 900
network 2.2.2.0 0.0.0.255
no auto-summary
For now BRANCH-1 knows BRANCH-n subnets via EIGRP (via MAIN & DR):
network 1.1.1.72 0.0.0.3
network 2.2.2.72 0.0.0.3
network 4.4.4.8 0.0.0.3
&
BRANCH-n knows BRANCH-1 subnets via EIGRP (via MAIN & DR):
network 1.1.1.68 0.0.0.3
network 2.2.2.68 0.0.0.3
network 4.4.4.4 0.0.0.3
BRANCH-1#trace 4.4.4.9
1 1.1.1.70 16 msec 4 msec 4 msec (MAIN router's tunnel IP to BRANCH-1)
2 1.1.1.73 8 msec * 4 msec
3 4.4.4.9
I want BRANCH-1 not to know the BRANCH-n subnets (1.1.1.72, 2.2.2.72, 4.4.4.8) and BRANCH-n not to know the BRANCH-1 subnets.
Which is the best way to accomplish this task?
Thanks
03-22-2018 05:47 AM
Thank you for clarifying that it is dual hub and spoke with VTI tunnels. There are several ways that you can achieve that branch routers do not see routes for subnets at other branches. You could use a distribute list for each hub VTI tunnel which would permit advertisement of 0.0.0.0 and deny everything else. But the simple solution is on each hub VTI tunnel use EIGRP summary address to advertise 0.0.0.0. That way each branch receives only the default route and not subnets from other branches.
HTH
Rick
03-22-2018 08:12 AM
Hi George, from the Hub you can apply a distribute-list based on an ACL that permits the traffic you want to be known by the spokes,
let's say
int T1
description to Spoke A
int T2
description to Spoke B
! a standard ACL needs a wildcard mask to match the whole subnet, not only host 1.1.1.0
access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255
router eigrp 1
! filtering what the hub advertises toward each spoke is applied outbound on that tunnel
 distribute-list 1 out Tunnel1
 distribute-list 2 out Tunnel2
Regards
HTH
03-22-2018 10:39 AM
Sorry, my question was not fully clear: spokes need to know only /30 routes.
03-22-2018 12:07 PM
I appreciate your attempt to clarify what you want to accomplish. But saying that you want spokes to know only /30 routes is not helpful since every route in your explanation was /30. The spoke routes to the hub (using networks 1.1.1 and 2.2.2) are /30, and the other route (which logically would be its LAN) is /30 as well.
I believe that I understand what you want to accomplish, which is that each spoke does not receive advertisement of routes from any other spoke. If that is your requirement then my suggestions are still valid. You could achieve this by configuring distribute lists and applying them to each tunnel on the hub routers. But the easier and better solution will be to use EIGRP summary address on the hub tunnels to advertise only a default route to each spoke.
HTH
Rick
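The hub-side configuration Rick recommends, written out as an added example (not configuration posted in this thread). It assumes classic-mode EIGRP AS 900 on IOS with the tunnel naming used earlier in the thread, and shows the distribute-list alternative next to the summary approach.

```cisco
! MAIN hub. DR is configured the same way on its 2.2.2.x tunnels; if only
! one hub filters, spokes still learn each other's subnets via the other hub.
!
! Option 1: per-tunnel summary. A 0.0.0.0/0 summary suppresses every
! more-specific EIGRP route toward that spoke, so BRANCH-1 no longer learns
! BRANCH-n's 1.1.1.72/30, 2.2.2.72/30 or 4.4.4.8/30, only the default.
interface Tunnel1
 description to BRANCH-1
 ip summary-address eigrp 900 0.0.0.0 0.0.0.0
!
interface Tunnel2
 description to BRANCH-n
 ip summary-address eigrp 900 0.0.0.0 0.0.0.0
!
! Caveat: the hub installs a discard route 0.0.0.0/0 via Null0 (AD 5) for
! the summary. If the hub's real default route has a higher AD (e.g. learned
! via OSPF or BGP) it would be shadowed; raise the summary's AD above it, or
! use 255 so no discard route is installed at all:
!   ip summary-address eigrp 900 0.0.0.0 0.0.0.0 255
!
! Option 2: distribute-list outbound on the hub tunnels, permitting only the
! default. The hub must already carry a default in EIGRP for this to work
! (for example a static default plus "redistribute static").
ip prefix-list SPOKE-DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router eigrp 900
 network 1.1.1.0 0.0.0.255
 distribute-list prefix SPOKE-DEFAULT-ONLY out Tunnel1
 distribute-list prefix SPOKE-DEFAULT-ONLY out Tunnel2
 no auto-summary
!
! Verification on a spoke: the EIGRP part of the routing table should now
! hold only 0.0.0.0/0 with the hub tunnel addresses as next hops.
!   BRANCH-1# show ip route eigrp
!   BRANCH-1# show ip eigrp topology
```

With either option a spoke can still reach another spoke's LAN through the hub via the default route; the filtering removes the routes, not the transit path, so an ACL on the hub tunnels is needed if spoke-to-spoke traffic itself must be blocked.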